Pete Finnigan's Oracle Security Weblog

I saw a post on Eddie's blog yesterday that has links to 4 SQL Injection papers. The SQL Injection papers post can be found here. SQL Injection is a fact of life nowadays and the security spectrum now seems to focus on one type of interpreter injection method or another. The security of data has moved center stage and the old firewall based security whilst still valid has moved to the wings. Hackers, whatever type, criminal or not seem to focus on data and seem to use sequenced or merged attacks that use techniques like SQL Injection. This means that even if your database is held inside your organisation and is behind multiple firewalls, maybe even not directly accessible externally it could still be attacked. I like to think of techniques like SQL Injection when used "very" creatively is like trying to paint your living room whilst stood in the street and using the front door keyhole as the only access BUT the paint is applied as though you are using a 3 foot wide paint roller. I was at Blackhat in Las Vegas a couple of months ago and was quite excited to hear a presentation that demonstrated how a PC on an internal IP address could be controlled externally using Javascript and iFrames or AJAX. This was so cool. If you are a DBA, developer or anyone implementing Oracle think about SQL Injection, cross site scripting, scripting in general and dont think you are secure just because an application doesnt use the web!