Penetration Testing mailing list archives
Re: SAP
From: Alex Alex <mis2ndg () yahoo com>
Date: 25 Mar 2002 14:46:49 -0000
In-Reply-To: <20020323184216.76962.qmail () web13803 mail yahoo com>

The ITS is a service that lets users access an R/3 resource using a standard browser. There are two main components: the wgate, which intercepts the HTML requests and passes them to the agate, which makes the translation from HTML to RFC for the specified R/3 system. You can find the agate and wgate on the same machine, or typically the wgate in the DMZ and the agate in the local LAN (more secure). The wgate is a simple web server (IIS or Apache, Netscape etc.), while only recently has the agate been released also for Linux.

You can focus on the security of the wgate; after this you can focus on the transaction. I've found several ITS without HTTPS session enabled. You could demonstrate the insecurity of the service (not encrypted, using ARP spoofing). I'm not a good code analyser, but I could suggest you analyse the heavy cookie usage by the application.

On the ITS you can load several different custom services exported by the R/3 system using IACOR; these are the templates that let you access different services on the R/3. Consider also reading the good manual shipped with the installation files.

I would be interested in the result of your test. Good luck.

--Alex
mis2ndg () yahoo com
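As an added illustration (not part of Alex's reply), here is a defender-side check for the two points he raises: whether the wgate serves the ITS session over HTTPS, and whether the session cookies it sets carry the Secure and HttpOnly attributes. The response headers and cookie names are constructed sample data, not a real ITS capture.

```python
# Added example: audit a captured wgate HTTP response for transport and cookie
# hygiene. Headers and cookie names below are constructed, not real ITS values.
from dataclasses import dataclass


@dataclass
class CookieFinding:
    name: str
    missing: list  # attributes the cookie lacks ("secure", "httponly")


def parse_set_cookie(header_value):
    """Return (name, {attr_lower: value}) for one Set-Cookie header value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name, attrs


def audit_response(scheme, headers):
    """Return (served_in_plaintext, [CookieFinding]) for a response.

    scheme: "http" or "https" as observed on the wire.
    headers: list of (name, value) tuples as received from the wgate.
    """
    findings = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        missing = [a for a in ("secure", "httponly") if a not in attrs]
        if missing:
            findings.append(CookieFinding(name, missing))
    plaintext = scheme.lower() != "https"
    return plaintext, findings


# Constructed sample: a wgate answering over plain HTTP with two cookies.
SAMPLE_SCHEME = "http"
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sample-session=abc123; path=/scripts"),
    ("Set-Cookie", "sample-pref=en; path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    plaintext, findings = audit_response(SAMPLE_SCHEME, SAMPLE_HEADERS)
    if plaintext:
        print("ITS session served without HTTPS: logon data and cookies travel in clear")
    for f in findings:
        print(f"cookie {f.name} lacks: {', '.join(f.missing)}")
```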
Current thread:
- SAP John Madden (Mar 23)
- <Possible follow-ups>
- Re: SAP Alex Alex (Mar 25)