So this is my attempt to improve on the post I wrote last year and add other tests that I find helpful. Whatever is outlined here really is the tip of the iceberg; further tests should definitely be done depending on scope, objectives…
Controls to test:
- Default application account credentials
- Weak application password controls
- Poor patching policies
- Directory listing / sensitive information exposure
- Segregation of duties / roles and responsibilities
Default application account credentials:
I have created a list of common default accounts on the application and uploaded it to GitHub; feel free to add to the list / ping me on Twitter. TBH, this issue is quite common among most instances I have the pleasure of auditing and usually gives you system administrator privileges on the portal.
Other tests to perform on the application to perhaps gain access are here.
Solution: disable the default application accounts.
Weak application password controls
Over and above the normal password complexity settings on the application, I found that if the passwords are not hashed and you have the APPS password, one could decrypt ALL the application user passwords!!
Lack of patching:
Simple select statement to view patch levels:
ORDER BY creation_date DESC
Lack of patching on the app leaves many OWASP Top 10 vulnerabilities in place, including but not limited to XSS and SQLi, most of them discovered by the guys credited below. A common example is the reflected XSS in jtfLOVInProcess.jsp. Many other JSPs on EBS suffer from these issues. These include: ibeCZzpEntry.jsp, cskmrelstmts.jsp, cskmslctcat.jsp, cskmslctplat.jsp, csm5Sync.jsp, ibeCScdAgrmntDetail.jsp, ibutpqs.jsp, ieccaleassignexception.jsp and ieccaleexception.jsp.
Solution: Patch. Patch. Patch.
Directory listing / sensitive information exposure
See the post here.
Solution: Reduce the attack surface by removing the JSPs not in use.
Arbitrary File Access vulnerability
Some of the Oracle EBS JSPs are vulnerable to arbitrary file access, e.g. bispgrapgh.jsp. I added a check in Nuclei to automate the testing of this 🙂
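As an added example (not code from the original post or from Oracle): a small Python log check that flags requests to the JSPs named above, covering both the XSS/SQLi list and the arbitrary file access one, so a defender can see whether these JSPs are still being hit before removing them. The combined log format and the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# JSPs named in the post as affected by reflected XSS / SQLi or arbitrary
# file access; a defender should watch for any request that touches them.
WATCHED_JSPS = {
    "jtfLOVInProcess.jsp", "ibeCZzpEntry.jsp", "cskmrelstmts.jsp",
    "cskmslctcat.jsp", "cskmslctplat.jsp", "csm5Sync.jsp",
    "ibeCScdAgrmntDetail.jsp", "ibutpqs.jsp", "ieccaleassignexception.jsp",
    "ieccaleexception.jsp", "bispgrapgh.jsp",
}

# Assumed Apache/OHS combined log layout:
# ip - - [timestamp] "METHOD path HTTP/x.y" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]      # drop the query string
    jsp = path.rsplit("/", 1)[-1]                # keep only the file name
    return {"ip": m.group("ip"), "jsp": jsp, "path": path,
            "status": int(m.group("status"))}


def find_hits(lines):
    """Parsed records whose JSP file name is on the watch list."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["jsp"] in WATCHED_JSPS:
            hits.append(rec)
    return hits


def summarize(hits):
    """Count hits per (source ip, jsp) so a reviewer sees who touched what."""
    return Counter((h["ip"], h["jsp"]) for h in hits)


# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /OA_HTML/RF.jsp?function_id=1 HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2020:10:00:02 +0000] "GET /OA_HTML/jtfLOVInProcess.jsp?x=1 HTTP/1.1" 200 2048',
    '10.0.0.7 - - [01/Jan/2020:10:00:03 +0000] "GET /OA_HTML/bispgrapgh.jsp HTTP/1.1" 200 1024',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for (ip, jsp), n in summarize(find_hits(SAMPLE_LOG)).items():
        print(f"{ip} requested {jsp} {n} time(s)")
```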
Big shoutout to the guys below for being ready to help the community in this ERP space:
- David Litchfield
< Post in progress/>