The official hash tag for HITBSecConf2010 - Amsterdam is #HITB2010AMS
Come see your tweets fly around our on-site Twitter wall!

Alexander Polyakov (Director of IT Security, Digital Security)

Presentation Title Attacking SAP Users Using sapsploit
Presentation Abstract

Business applications like ERP, CRM, SRM and others are one of the major topics within the field of computer security as these applications store business data and any vulnerability in these applications will cause a significant monetary loss.

Nowadays SAP platform is the most widespread platform used for enterprise system management and the most critical data storage. Nonetheless people still do not give much attention to the technical side of SAP security. As for SAP server security there you can get information from Mariano presentations on BlackHat 2007 and Blackhat 2009 and you can see how insecure SAP servers and RFC protocol. But what if we found out SAP server fully hardened? Usually when it is hard to attack a server we try to attack a client because in real companies there are thousands of user workstations that use SAP and they are less secure.

At first we will cover common problems at all the levels of SAP security providing examples of the real penetration tests. Then we will focus on client-side vulnerabilities and will show all current methods and new attacks on different client applications and protocols that use in SAP environment. In conclusion we will present tools named Sapsploit and Saptrojan written by DSecRG (Alexander Polyakov, Alexey Sintsov and others) that can make many of the described things automatically and will show the way how can break the corporate network and steal corporate data using these tools.

About Alexander

Alexander Polyakov is the Director of IT security audit department of The Digital Security Company. His expertise covers enterprise applications and database security. He found a lot of vulnerabilities in the products of such vendors as SAP and Oracle, and has made a lot of projects focused on special applications security in oil and gas, retail and banking sphere. He is the author of a book titled “Oracle Security from the Eye of the Auditor. Attack and Defense (in Russian).

He is also the head of Digital Security Research Group (, Expert Council member of PCIDSS.RU association, QSA and PA-QSA auditor and one of the contributors to Oracle with Metasploit project. He has spoken in conferences like, Troopers10, Infosecurity Russia, Ruscrypto and PCIDSSRUSSIA2010.