Last week, Onapsis Research Labs launched a new Java Endpoint Analyzer to the community to help identify SAP endpoints. In the spirit of Cybersecurity Awareness Month, and this year’s theme ‘Secure Our World,’ we’re excited to share this with the community and below are a few details, including where to find the Analyzer on Github:
Goal of Java Endpoint Analyzer:
Java Endpoint Analyzer (JEA) helps you assess the scope of an SAP system based on Java in order to understand which HTTP endpoints are exposed. To do so, it automatically analyzes deployment files (like web.xml, webdympro.xml , portalapp.xml) in order to extract out the URLs (endpoints) that the system has. It is meant to be used internally as OS credentials are needed.
It currently works with the following type of applications:
- SOAP Applications
- Portal Apps
The Java Endpoint Analyzer (JEA) discovers all the HTTP endpoints–determining which SAP endpoints have targetable URLs that could be potential points of ingress for attackers. Think of this as auditing all the doors and windows in your house–you can decide to close them or monitor them in any way that you choose.
How Does the Java Endpoint Analyzer Work?
JEA requires credentials of the target SAP system in order to log in through SSH and download specific files. These files are deployment configuration files that each type of webapp uses. Once they are downloaded locally, the analysis phase of the process begins. Every file is parsed and based on what those files state, the entry points are built.
The output of this tool will be an endpoints.json file holding all found HTTP endpoints of the java system.
Java Endpoint Analyzer’s Impact
Onapsis Research Labs’ mission is to help build a safer world. With critical applications and systems being more interconnected than ever, this is one tool that can aid team in looking at their most critical applications within their landscape.
Through the usage of JEA, it was possible for the Onapsis Research Labs team to identify and report several threats that ended up contributing to building a more robust and secure software. Some examples of the most outstanding findings discovered with the help of JEA were: RECON and P4CHAINS.
We hope you find this resource valuable, and to learn more and download JEA visit Github here.