The official hash tag for HITBSecConf2010 - Amsterdam is #HITB2010AMS

Mariano Nunez Di Croce (Director of R&D, Onapsis)

Presentation Title: SAProuter: An Internet Window to your SAP Platform
Presentation Abstract

Many people still think that SAP systems are only accessible from internal networks by an organization’s employees. Nothing can be further from the truth. The growing need for providing realtime access to business partners, outsourced staff and customers has forced many companies to open their critical business platforms to the Internet, introducing several risks affecting their most valuable business information.

While you may think that your organization is an exception and you’re 100% sure that no remote connections are made to your SAP systems, you will probably need to rethink that: in order to provide support, SAP AG connects to your SAP platform *remotely*, so practically every SAP installation in the world has at least one window to the Internet, the SAProuter. If this component is not implemented securely, this window can allow remote attackers to connect to your SAP systems just as if they were sitting in your Accounting Department.

In this talk you will learn, through many live demos, the techniques that you can use to assess the security of these components. You will see how to obtain information from remote SAProuters, perform port scans of internal systems and understand how the exploitation of some obscure features can be used to “deploy” SAProuter agents that enable access to any application in the company’s internal network.

About Mariano

Mariano Nunez Di Croce is the Director of Research and Development at Onapsis. Mariano has long experience as a Senior Security Consultant, mainly involved in security assessments and vulnerability research. He has discovered critical vulnerabilities in SAP, Microsoft, Oracle and IBM applications.

Mariano leads the SAP Security Team at Onapsis, where he works on hardening and assessing the security of critical SAP implementations at organizations worldwide. He is the author and developer of the first open-source SAP Penetration Testing Framework and has discovered more than 50 vulnerabilities in SAP applications. Mariano is also the lead author of the “SAP Security In-Depth” publication.

Mariano has been invited to give presentations and trainings at many international security conferences, such as Blackhat USA/EU, DeepSec, Sec-T, Ekoparty and CIBSI, as well as to host private trainings for Fortune-100 companies and defense contractors. Mariano has a degree in Computer Science Engineering from the UTN.