
Abstract

CICS is the most widely deployed transaction system in the world, processing more than 20 billion transactions a day. It is mainly deployed on IBM z/OS systems.
Indeed, for every person who withdraws money, there is a good to fair chance that multiple CICS applications are involved somewhere in the chain of requests. The same goes for banking operators when creating a new account, handling refunds, taxes, etc. The talk will demystify this critical system and explain how it works, but mostly how to abuse some of its functions in order to illegitimately read and write business files, access other applications, remotely execute code with zero authentication… The tool Cicspwn will be presented to help pentesters check CICS’s security and exploit all the key weaknesses detailed above.

Slides