Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "A tuning book and security?"] [Next entry: "creating read only tables"]

An interesting SQL Injection paper

I am currently finishing off making changes from technical review comments for the new 6 day hands on SANS Securing Oracle track that I have written and also completing some of the labs. Yesterday I was working on writing a lab that demonstrates SQL Injection techniques in Oracle so I have been looking into what new papers there are out there on SQL Injection. There are not many specifically aimed at Oracle apart from the three part paper for Security focus last year. Links to the three parts can be found here. There are however quite a few papers on SQL Injection but not aimed at Oracle.

I have been looking at other papers on the subject as even though they are for different databases itís still possible to learn from them. I found a paper and more advanced SQL Injection written by Stephano Di Paola that seems quite interesting. Its written for mySQL and covers SQL Injection for Cross Site Scripting, Phishing and SQL Injection for HTTP response splitting. Even though the paper is not for Oracle i found it interesting material on the subject. The bibliography gives a good list of other SQL Injection, cross site scripting and phishing papers worth reading.