Blended Web and Database Attacks on Real-time, In-Memory Platforms

Presented at AppSec USA 2014, Sept. 18, 2014, 3 p.m. (45 minutes).

It is well known there is a race going on in the "Big Data" arena. One of the stronger competitors in the "Big Data" market is Real-Time, In-Memory Platforms. An interesting thing about this platform, and the one we will talk about specifically, is that it blends everything to increase performance. The database tables, webserver engine, webserver code, authorization, analytics engine, libraries, etc. are all optimized to, if possible, never touch the disk. Surprisingly, this causes a perspective shift for the web and database application threat landscape and how security professionals should address it. For example:

* The resources are massive enough that the database can store all previous versions of a table. We will introduce a new SQL Injection attack vector that abuses a "TIME TRAVEL" feature, providing access to previously deleted data.
* The web application code is stored in the database and not on the filesystem! Or to put it another way, web application code is executed through a web server engine that retrieves the code directly from the database. We will present Server-Side JavaScript exploits performed using SQL queries.
* The database is enhanced with special libraries to support advanced analytics and statistical features, such as integration with the R programming environment. We will demonstrate how, if implemented insecurely, this could lead to exploits "written in R".
* The web application's database queries are typically run in the context of the current user's session. In other words, no database credentials are stored in the web application backend code. We will show how an attacker may need to resort to Social Engineering as a critical component of SQL Injection.

In this talk we will explore how an attacker might blend old attack vectors to obtain the same or novel goals in the industry-leading Real-Time, In-Memory platform: SAP HANA.
We will present live demos of new vulnerabilities discovered by the Onapsis Research Labs team, as well as ways to ensure your platform is protected. Furthermore, we will present a reference framework for professionals who need to assess the security of these unique platforms, as well as sample vulnerable applications for developers to understand how to avoid common pitfalls that would introduce security risks.

Presenters:

  • Juan Perez-Etchegoyen - CTO - Onapsis, Inc.
    Juan Pablo is the CTO of Onapsis, leading the Research and Development teams that keep the company at the cutting edge of the ERP security field. Juan Pablo is fully involved in the design, research and development of Onapsis' innovative software solutions. Being responsible for managing the Onapsis Research Labs, Juan Pablo has also been actively involved in the coordination and research of critical security vulnerabilities in ERP applications and business-critical infrastructure, such as SAP, Oracle and JD Edwards. Juan Pablo has extensive experience in the information security field, having been involved in large research, penetration testing, vulnerability assessment and security implementation projects, among others. As a result of his innovative research work, Juan Pablo has been invited to deliver trainings and presentations at some of the most renowned security conferences in the world, such as BlackHat, Source, Deepsec, HITB and Ekoparty, as well as to host private trainings on different aspects of information security for Global Fortune-100 organizations.
