Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Scanning for Oracle databases on your network"] [Next entry: "who_can_access.sql : a script to find uses and roles that can access a particular object"]

SQL Injection papers

I am currently making changes after the technical review comments on the new SANS 6 day hands on "Securing Oracle track" and I have mentioned three classic papers written by Rain Forest Puppy in one of the modules that covers the techniques used in SQL Injection. RFP wrote three papers about how SQL injection works and how it can be used to hack with. My reviewer discovered that the links on RFP's site are no longer there. There is a note on his site that he is moving servers. A quick email to the pen-test mailing list at Security Focus's site got me some new links to the same articles. I just re-read them tyhis evening. These are still excellent articles about SQL Injection even if they are a little old. They are not about Oracle but about security and SQL Injection. This phenonima can affect Oracle databases as well as many others so the techniques described are still useful to anyone interested in Oracle security. The links are How I hacked PacketStorm, - (broken link) NT Web Technology Vulnerabilities and RFPlutonium to fuel your PHP-Nuke and are well worth reading. I also wrote a three part paper on SQL Injection in Oracle for security focus, there are links to these papers on my white papers section here.