Today, the whole business of a company depends on enterprise business applications. They are big systems that store and process all the critical data of companies. Any information an attacker might want, be it a cybercriminal, industrial spy or competitor, is stored here. This information can include financial, customer or public relations, intellectual property, personally identifiable information, and more. Industrial espionage, sabotage and fraud or insider embezzlement may be very effective if targeted at the victim’s business application and cause significant damage to the business. There are many types of those applications: ERPs, CRMs, SRMs, ESBs. Unfortunately, there is still very little information about the security of those systems, especially how to pentest them.
During our work on OWASP-EAS subproject, we gathered top 10 critical areas (similar to most of the business applications), so we will present a solid approach for pentesting those types of systems. We will look at 3 different systems from top business application vendors: SAP, Oracle and Microsoft, and show how to pentest them using our cheatsheets that will be released for BlackHat as well as a free tool: ERPScan Pentesting Tool.