Dark Clouds ahead: Attacking a Cloud Foundry Implementation
During the last years, companies have opted for cloud technologies and their advantages. This presentation will analyze a proprietary implementation based on Cloud Foundry, developed by SAP. It will not only describe the vulnerabilities found, but also the techniques and tools that led us to find them. Live demos ranging from simple information disclosures up to blind SQL injection exploits will be shown.
Cloud is one of the most widely adopted technologies today due to the flexibility it provides at a lower cost than hosting hardware. However, like many good things, it does not come without strings attached. Complexity, resource sharing, responsibility ambiguity and multiple tiers are just a few of the long list of challenges that need to be addressed to securely leverage the benefits of the cloud.
Cloud Foundry, an application platform for cloud computing, has emerged in recent years. Its main objective is to provide a common interface to deploy, manage the lifecycle of, scale and run applications regardless of the underlying cloud provider. It accomplishes this by using RESTful APIs to establish communication between its diverse components.
SAP, leader in the development of business-critical applications, has incorporated this technology into its rapidly growing product, the SAP HANA Platform. XSA, HANA’s application server, is the result of a custom and reduced implementation of the Cloud Foundry application platform.
In this presentation we are going to expose our security research specific to XSA, showing not only the tools, but also the strategy that allowed us to find several critical vulnerabilities in this component, with special focus on attacking exposed RESTful APIs.
Finally, we’ll show a set of live demos of the vulnerabilities we’ve found, which could be used to pivot from an application directly to the HANA database without authentication, allowing an attacker not only to read sensitive data but also to harm or disrupt critical business processes.