[TALK] 🇫🇷 There Is No Place To Run: Assessing SAP Focused Run Security

SAP Focused Run is the brand new product in the SAP world. Introduced in 2020, it is the replacement of the current well known SAP Solution Manager. It is a dedicated type of SAP system to manage all others in the company landscape. In other words, this new product will be the technical backbone of many business applications for companies in years to come.

The first part of this talk will describe our research process used to understand how this new product works, and how we discovered several vulnerabilities. Attendees will learn how weaknesses in connected systems can be leveraged to compromise SAP Focused Run and then compromise the rest of the landscape.

In the second part of the talk, five different vulnerabilities found by Onapsis Research Lab on different SAP products will be shared and presented, along with a complete attack scenario affecting SAP Focused Run. We will speak about vulnerabilities like Insecure Deserialization, XSLT Injection, Code Injection and Missing Authentication.

Finally, we will provide all recommendations and mitigation strategies related to the issues covered in this talk.

About Yvan Genuer

Yvan Genuer is a Sr. Security Researcher at Onapsis with over 17 years of SAP experience. He has delivered consultancy services around SAP security and researched vulnerabilities in SAP products, receiving official acknowledgements from SAP AG for several vulnerabilities he originally reported. He has also given trainings and talks on this topic at conferences.
