Volume IV: The Invoker Servlet – A Dangerous Detour into SAP Java Solutions

Download

SAP Application Servers Java, supported by the J2EE Engine, serve as the base framework for running critical solutions such as the SAP Enterprise Portal, SAP Exchange Infrastructure (XI), SAP Process Integration (PI) and SAP Mobile Infrastructure (MI). In addition, customers can also deploy their own custom Java applications on these platforms.

In December 2010, SAP released an important white-paper describing how to protect against common attacks against these applications. Among the security concepts detailed, there was one that was particularly critical: the Invoker Servlet. This functionality is subject to several threats to SAP platforms, such as the possibility of completely bypassing the authentication and authorization mechanisms.

This publication analyzes the Invoker Servlet Detour attack, identifying the root cause of this threat, how to verify whether your platform is exposed and how to mitigate it, effectively protecting your business-critical information against cyber-attacks.

Back to Publications

Safeguarding Tomorrow: Empowering SAP Customers with Advanced Cyber Risk Management

Securing SAP Business Technology Platform (BTP)

CH4TTER: Threat Actors Attacking SAP Applications

Anatomy of an Attack: C2 Incident on SAP

Your S/4HANA Cloud Journey

Volume IV: The Invoker Servlet – A Dangerous Detour into SAP Java Solutions

Volume XVII: Remote Function Call: The Whole Picture

Volume XVI: SAP®️ Security In-Depth: Switchable Authorization Checks: New Workbench and Scenarios

Volume XV: SAP® Security In-Depth: Preventing Cyberattacks Against SAP Solution Manager