Overview
Explore blended web and database attacks on real-time, in-memory platforms in this 49-minute conference talk from AppSecUSA 2014. Dive into the unique security challenges posed by platforms like SAP HANA, where databases, web servers, and application code are optimized for performance. Learn about novel attack vectors, including SQL injection exploiting "TIME TRAVEL" features, server-side JavaScript exploits via SQL queries, and potential vulnerabilities in R programming integration. Discover how traditional attack methods may require adaptation in these environments, including the role of social engineering in SQL injection. Gain insights into assessing and securing these platforms through live demonstrations of vulnerabilities, a reference framework for security professionals, and sample applications highlighting common pitfalls for developers.
Syllabus
Intro
In Memory Computing/IMDB
Reasons
Market Leaders
Main Vendors
What is SAP?
A blended architecture (contd)
Impact of vulnerabilities
SAP HANA Concepts
SQL Injection on HANA
Time travel tables and SQL injection
Countermeasures
Cross Site Scripting
Use Security Features
Attacks to the R-Integration
Calling C++ functions
Conclusions
Taught by
OWASP Foundation