SAP Application Servers Java, supported by the J2EE Engine, serve as the base framework for running critical solutions such as the SAP Enterprise Portal, SAP Exchange Infrastructure (XI), SAP Process Integration (PI) and SAP Mobile Infrastructure (MI). In addition, customers can also deploy their own custom Java applications on these platforms.
In December 2010, SAP released an important white-paper describing how to protect against common attacks against these applications. Among the security concepts detailed, there was one that was particularly critical: the Invoker Servlet. This functionality is subject to several threats to SAP platforms, such as the possibility of completely bypassing the authentication and authorization mechanisms.
This publication analyzes the Invoker Servlet Detour attack, identifying the root cause of this threat, how to verify whether your platform is exposed and how to mitigate it, effectively protecting your business-critical information against cyber-attacks.