Overview
Explore the intersection of fuzzing and SAP network services in this 42-minute conference talk from the Hack In The Box Security Conference. Delve into the challenges and solutions of applying automated vulnerability detection techniques to business-critical SAP applications. Learn about the journey from discovering the SAP world to successfully fuzzing black-box services over custom network protocols. Understand the three main challenges: limited performance due to network layers, the complexity of custom protocols, and the intricacies of crash reproduction and analysis. Discover how these obstacles were overcome, leading to the discovery of 20 new vulnerabilities across six different SAP services. Gain insights into fuzzer selection and modification, test case generation, and crash analysis techniques. Acquire practical knowledge to apply this approach to other complex systems with custom network protocols, potentially uncovering critical remote vulnerabilities. Benefit from the expertise of Yvan Genuer, a Senior Security Researcher at Onapsis with over 15 years of SAP experience, as he shares valuable research findings and methodologies for effective security testing of custom network services.
Syllabus
#HITBCW2021 D2 - When Fuzzing Meets SAP Network Services - Yvan Genuer
Taught by
Hack In The Box Security Conference