WITH BIGDATA COMES BIG RESPONSIBILITY: PRACTICAL EXPLOITING OF MDX INJECTIONS

WITH BIGDATA COMES BIG RESPONSIBILITY: PRACTICAL EXPLOITING OF MDX INJECTIONS

Let’s take a look into the place where critical data is stored for further analytics afterwards. It’s Business Warehouse (BW) and Big Data. Classic online transaction processing systems (OLTP) are not quite suitable to process big data, so they were replaced by OLAP with its multi-dimensional structures. This technology is present in almost all Business Intelligence applications including key vendors like Microsoft, Oracle, and SAP. All the critical corporate data in one place, well… isn’t it a sweet target for an attacker?

The OLAP technology has brought a lot of new terms and concepts into the world: OLAP cube, measures, dimensions, XMLA, and the MDX language, which is used for requests to multi-dimensional data structures. In today’s Business Intelligence (BI) marketplace, most OLAP servers and almost all BI clients talk in MDX. This talk will describe in detail all the entities of this technology and especially the MDX request language. The talk will also feature an overview of possible MDX-related attacks as well as an overview of code injection, data retrieval and update vectors.

Moreover, I will show some examples of the systems that can be exploited by MDX-related vulnerabilities, their system-related differences, post-exploitation vectors, and a cheat-sheet with a tool for simplifying MDX Injections.

Presented by