SAP applications could be at risk from an emerging type of exploit known as Server Side Request Forgery (SSRF). That’s the message from security researcher Alexander Polyakov at this week’s Black Hat security research conference.
“By tunneling over Gopher we can bypass SAP security restrictions and exploit the system,” Polyakov said.
Gopher is an old Internet protocol that predates the HTTP-based Web, which is the ubiquitous form of Internet access today. As it turns out, there is an XML parser on the SAP server that supports both HTTP and Gopher. “So in the parser it has a Gopher client,” Polyakov said.
Polyakov’s company has developed a tool called XXE Scanner that can help identify potential SSRF risks in SAP systems. His company worked with SAP to fix the Gopher vulnerability, he said.
“Server Side Request Forgery attacks are very dangerous,” Polyakov said. “Gopher is just one example, and we only really looked at the SAP JavaEE engine.”
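A pre-parse screen for the condition described above, an XML parser that will fetch Gopher as well as HTTP URLs, added here as an example (it is not code from Polyakov's XXE Scanner or from SAP): it lists the external identifiers an XML document declares and rejects any whose URI scheme is outside an allowlist. The function names, the allowlist and both sample documents are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only schemes this deployment lets an XML parser dereference.
ALLOWED_SCHEMES = {"http", "https"}

# <!ENTITY [%] name SYSTEM "uri">, <!ENTITY name PUBLIC "id" "uri">,
# and the same two forms on <!DOCTYPE root ...>.
_DECL = re.compile(
    r"""<!(?P<kind>ENTITY|DOCTYPE)\s+(?:%\s+)?(?P<name>[^\s>\[]+)\s+
        (?:SYSTEM|PUBLIC\s+(?:"[^"]*"|'[^']*'))\s+
        (?P<q>["'])(?P<uri>.*?)(?P=q)""",
    re.VERBOSE | re.DOTALL,
)

def external_identifiers(xml_text):
    """Return (kind, name, uri, scheme) for each external identifier declared."""
    found = []
    for m in _DECL.finditer(xml_text):
        uri = m.group("uri").strip()
        scheme = urlsplit(uri).scheme.lower()
        found.append((m.group("kind"), m.group("name"), uri, scheme))
    return found

def rejected_identifiers(xml_text, allowed=ALLOWED_SCHEMES):
    """External identifiers the parser must not fetch.

    An empty scheme (relative reference) is rejected too: it resolves
    against the document's base URI, which this screen cannot see.
    """
    return [f for f in external_identifiers(xml_text) if f[3] not in allowed]

# Constructed sample: an entity pointing the parser's Gopher client at a host.
SAMPLE_BAD = """<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY ref SYSTEM "gopher://host.internal.example:70/">
]>
<order><id>&ref;</id></order>"""

# Constructed sample: an external DTD over an allowlisted scheme.
SAMPLE_OK = """<?xml version="1.0"?>
<!DOCTYPE order SYSTEM "https://schemas.example/order.dtd">
<order><id>42</id></order>"""

if __name__ == "__main__":
    for label, doc in (("bad", SAMPLE_BAD), ("ok", SAMPLE_OK)):
        print(label, rejected_identifiers(doc))
```

A text-level screen like this is a detection aid; the stronger control is to configure the parser itself to refuse DOCTYPE declarations or external entity resolution.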