I forgot Your password: Pwning modern password recovery systems through JSON injections

Presented at TROOPERS18 (2018), March 14, 2018, 2:30 p.m. (Unknown duration)

During this talk we'll analyze different vulnerabilities and weaknesses in password recovery mechanisms. To illustrate how dangerous these vulnerabilities can be, we'll present a live demo showing how an attacker chaining different bugs in the SAP HANA password recovery mechanism could fully compromise the platform.

Designing a decently secure account recovery functionality, as well as a registration method, is not a trivial task. In contrast to authentication systems, and as stated in the OWASP Forgot Password Cheat Sheet, "There is no industry standard for implementing a Forgot Password feature. The result is that you see applications forcing users to jump through myriad hoops involving emails, special URLs, temporary passwords, personal security questions, and so on."

To better illustrate how dangerous and common this situation is, we will go through known reported vulnerabilities and design weaknesses in large-scale technology companies such as Google, Facebook and Microsoft.

After reviewing these cases, we will focus on our recent research assessing SAP HANA's User Self Service, part of the flagship computing platform from SAP. This service encompasses both user registration and recovery features, and allows SAP HANA users to manage accounts without full authentication. We will start by explaining some of the basic vulnerabilities we discovered, such as user enumeration through mishandled SQL errors, host header injections, SQL injections (which allow the activation of known common users), and predictable recovery tokens.

Finally, we will present the main case study, reviewing an attack that uses a custom JSON injection to leverage an SQL injection that allows an unauthenticated remote attacker to alter user information. By combining different vulnerabilities, we will show how it is possible for potential attackers to hijack the "SYSTEM" user (the fully privileged user), gaining full control of the SAP HANA database and applications.


Presenters:

  • Martin Doyhenard
    Martin is a security researcher at the Onapsis Research Labs. His work includes performing security assessments on SAP and Oracle products and detecting vulnerabilities in ERP systems. His research is focused on Web security, and his areas of interest also include cryptography and reverse engineering.
  • Nahuel D. Sánchez
    Nahuel D. Sánchez is a security researcher at Onapsis. As a member of Onapsis Research Labs, his work focuses on performing extensive research of SAP products and components, identifying and reporting security vulnerabilities, attack vectors and advanced exploitation techniques that are applicable to different platforms. Nahuel is one of the most frequent reporters of vulnerabilities in SAP products and is a frequent author of the publication "SAP Security In-Depth". He previously worked as a security consultant, evaluating the security of Web applications and participating in penetration testing projects. His areas of interest include Web security, reverse engineering, and the security of business-critical applications.
