
Breaking Ed: Hacking Oracle JD-Edwards Systems

Vladimir Egorov & Mikhail Medvedev


There is a lot of money riding on small and medium-sized businesses as well as on large companies, but the latter spend far more on security than the small ones do. As a result, the systems of small and medium businesses can be easily hacked (if they have not been already).

To demonstrate this, we will use Oracle JD Edwards EnterpriseOne. Founded in 1977, it today comprises a wide variety of components such as Financial Reporting, Cash Management, Payroll, and Financial and Sales Analytics, which means it holds as much critical data as one can imagine. Right now, more than 3000 JD Edwards servers are accessible via the Internet, so anyone could hack them remotely with no rights in the system.

We will also present a complete attack vector step by step, showing how a "forgotten" API and a few tricks may give away your system's "keys." And that is just the beginning. Although the security of Oracle systems has been widely covered, we will use practical examples instead of common truths and blanket statements.


Vladimir is a security researcher at ERPScan. He works on SAP security, particularly on web applications, and is an exploit developer and bug hunter. He has spoken at the following conferences: Hack in the Box, ArmSec, and Ekoparty.


Mikhail is an information security researcher whose main field of interest is ERP systems. He is known for discovering vulnerabilities in various products, including those of SAP, Oracle and Microsoft. He is widely experienced in carrying out security audits of production, enterprise and many other corporate systems, and focuses on securing web applications.